rc.subr: Support setting the audit user when starting services
When an unprivileged user restarts a service using, e.g., sudo, the service runs with the audit user ID set to that of the unprivileged user. This can have surprising effects: for instance, a user that restarts a jail that is running sshd will end up with their UID attached to all audit logs associated with users who log in via that sshd instance. (sshd will set the audit user, but this is disallowed in jails by default.) Add support for rc.conf directives which cause rc to override the audit user. Specifically, make <name>_audit_user=foo cause the audit user to be set to "foo" for service <name>. A plain audit_user=foo directive causes all services to be started as foo. Note, like other similar rc features, this feature is limited to rc services which are run by executing a command. Shell functions can't be wrapped this way. Reviewed by: 0mp MFC after: 2 weeks Sponsored by: Modirum MDPay Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D53747
This commit is contained in:
@@ -22,7 +22,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd October 5, 2025
|
||||
.Dd November 14, 2025
|
||||
.Dt RC.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@@ -190,6 +190,17 @@ Setting this option will bypass that check at boot time and
|
||||
always test whether or not the service is actually running.
|
||||
Enabling this option is likely to increase your boot time if
|
||||
services are enabled that utilize the force_depend check.
|
||||
.It Ao Ar name Ac Ns Va _audit_user
|
||||
.Pq Vt str
|
||||
A user name or UID to use as the
|
||||
.Xr audit 4
|
||||
user for the service.
|
||||
Run the chrooted service under this system group.
|
||||
By default, when an unprvileged user restarts a service using a utility
|
||||
such as sudo or doas, the service's will audit session will point to the
|
||||
unprivileged user, which may be undesirable.
|
||||
In that case, this variable can be used to override the audit user using
|
||||
.Xr setaudit 8 .
|
||||
.It Ao Ar name Ac Ns Va _chroot
|
||||
.Pq Vt str
|
||||
.Xr chroot 8
|
||||
@@ -209,7 +220,6 @@ The
|
||||
value to run the service under.
|
||||
.It Ao Ar name Ac Ns Va _group
|
||||
.Pq Vt str
|
||||
Run the chrooted service under this system group.
|
||||
Unlike the
|
||||
.Ao Ar name Ac Ns Va _user
|
||||
setting, this setting has no effect if the service is not chrooted.
|
||||
|
||||
Reference in New Issue
Block a user